Detecting malicious network content using virtual environment components

ABSTRACT

Malicious network content is identified based on the behavior of one or more virtual environment components which process network content in a virtual environment. Network content can be monitored and analyzed using a set of heuristics. The heuristics identify suspicious network content communicated over a network. The suspicious network content can further be analyzed in a virtual environment that includes one or more virtual environment components. Each virtual environment component is configured to mimic live environment components, for example a browser application component or an operating system component. The suspicious network content is replayed in the virtual environment using one or more of the virtual environment components. The virtual environment component behavior is analyzed in view of an expected behavior to identify malicious network content. The malicious network content is then identified and processed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent applicationSer. No. 11/409,355, filed Apr. 20, 2006 now U.S. Pat. No. 8,171,553,entitled “Heuristic Based Capture with Replay to Virtual Machine”, whichis a continuation-in-part of U.S. patent application Ser. No.11/096,287, filed Mar. 31, 2005 now U.S. Pat. No. 8,528,086, entitled“System and Method of Detecting Computer Worms”, and is acontinuation-in-part of U.S. patent application Ser. No. 11/151,812,filed Jun. 13, 2005 now U.S. Pat. No. 8,549,638, entitled “System andMethod of Containing Computer Worms,” and is a continuation-in-part ofU.S. patent application Ser. No. 11/152,286, filed Jun. 13, 2005 nowU.S. Pat. No. 8,006,305, entitled “Computer Worm Defense System andMethod”; U.S. patent application Ser. No. 11/096,287 claims the benefitof U.S. Provisional Application No. 60/559,198, filed Apr. 1, 2004, U.S.patent application Ser. No. 11/151,812 claims the benefit of U.S.Provisional Application No. 60/579,953, filed Jun. 14, 2004, and U.S.patent application Ser. No. 11/152,286 claims the benefit of U.S.Provisional Application No. 60/579,910, filed Jun. 14, 2004.

BACKGROUND

Presently, malicious network content (e.g., malicious software ormalware) can attack various devices via a communication network. Forexample, malware may include any program or file that is harmful to acomputer user, such as bots, computer viruses, worms, Trojan horses,adware, spyware, or any programming that gathers information about acomputer user or otherwise operates without permission.

Adware is a program configured to direct advertisements to a computer ora particular user. In one example, adware identifies the computer and/orthe user to various websites visited by a browser on the computer. Thewebsite may then use the adware to either generate pop-up advertisementsor otherwise direct specific advertisements to the user's browser.Spyware is a program configured to collect information regarding theuser, the computer, and/or a user's network habits. In an example,spyware may collect information regarding the names and types ofwebsites that the user browses and then transmit the information toanother computer. Adware and spyware are often added to the user'scomputer after the user browses to a website that hosts the adwareand/or spyware. The user is often unaware that these programs have beenadded and are similarly unaware of the adware and/or spyware's function.

Various processes and devices have been employed to prevent the problemsthat malicious network content can cause. For example, computers ofteninclude antivirus scanning software that scans a particular clientdevice for viruses. Computers may also include spyware and/or adwarescanning software. The scanning may be performed manually or based on aschedule specified by a user associated with the particular computer, asystem administrator, and so forth. Unfortunately, by the time a virusor spyware is detected by the scanning software, some damage on theparticular computer or loss of privacy may have already occurred.Additionally, it can take weeks or months for new Anti-Virus signaturesto be manually created and for an anti-virus application to be updated.Moreover, polymorphic exploits are also an issue that limits theeffectiveness of some anti-virus applications.

In some instances, malicious network content comprises a bot. A bot is asoftware robot configured to remotely control all or a portion of adigital device (e.g., a computer) without authorization by the digitaldevice's legitimate owner. Bot related activities include botpropagation and attacking other computers on a network. Bots commonlypropagate by scanning nodes (e.g., computers or other digital devices)available on a network to search for a vulnerable target. When avulnerable computer is scanned, the bot may install a copy of itself.Once installed, the new bot may continue to seek other computers on anetwork to infect. A bot may also be propagated by a malicious web siteconfigured to exploit vulnerable computers that visit its web pages.

A bot may also, without the authority of the infected computer user,establish a command and control communication channel to receiveinstructions. Bots may receive command and control communication from acentralized bot server or another infected computer (e.g., via apeer-to-peer (P2P) network established by a bot on the infectedcomputer). When a plurality of bots (i.e., a bot net) act together, theinfected computers (i.e., zombies) can perform organized attacks againstone or more computers on a network, or engage in criminal enterprises.In one example, bot infected computers may be directed to flood anothercomputer on a network with excessive traffic in a denial-of-serviceattack. In another example, upon receiving instructions, one or morebots may direct the infected computer to transmit spam across a network.In a third example, bots may host illegal businesses such aspharmaceutical websites that sell pharmaceuticals without aprescription.

Malicious network content may be distributed over a network via websites, e.g., servers operating on a network according to an HTTPstandard. Malicious network content distributed in this manner may beactively downloaded and installed on a user's computer, without theapproval or knowledge of the user, simply by accessing the web sitehosting the malicious network content. The web site hosting themalicious network content may be referred to as a malicious web site.The malicious network content may be embedded within data associatedwith web pages hosted by the malicious web site. For example, a web pagemay include JavaScript code, and malicious network content may beembedded within the JavaScript code. In this example, the maliciousnetwork content embedded within the JavaScript code may be obfuscatedsuch that it is not apparent until the JavaScript code is executed thatthe JavaScript code contains malicious network content. Therefore, themalicious network content may attack or infect a user's computer beforedetection by antivirus software, firewalls, intrusion detection systems,or the like.

SUMMARY

The behavior of one or more virtual environment components which processnetwork content in a virtual environment is used to identify maliciousnetwork content. Network content can be monitored and analyzed using aset of heuristics. The heuristics identify suspicious network contentcommunicated over a network. The suspicious network content can furtherbe analyzed in a virtual environment that includes one or more virtualenvironment components. Each virtual environment component is configuredto mimic live environment components, for example a browser applicationcomponent or an operating system component. The suspicious networkcontent is replayed in the virtual environment using one or more of thevirtual environment components. The virtual environment componentbehavior is analyzed in view of an expected behavior. Malicious networkcontent is detected based on observed component behavior that deviatesfrom an expected behavior. The malicious network content is thenidentified and processed.

An embodiment detects malicious network content by receiving networkcontent detected to be suspicious. A virtual environment componentwithin a virtual environment is then configured to mimic a realapplication. The real application is configured to process thesuspicious network content. The suspicious network content is thenprocessed by the virtual environment component within a virtualenvironment. Suspicious network content can be identified as maliciousnetwork content based on a behavior for the virtual environmentcomponent. A computer readable storage medium can contain instructionsexecutable by a processor for detecting malicious network content.

An embodiment processes network content by receiving suspicious networkcontent. The suspicious network content is detected within a copy ofnetwork content communicated over a network. An agent is then configuredto monitor processing of the suspicious network content within a virtualenvironment. At least one virtual environment component is configured toprocess the suspicious network content within the virtual environment.An agent can detect an anomaly associated with the virtual environmentcomponent. A signature is then generated from the suspicious networkcontent to apply to subsequent network content.

An embodiment may include a system including a first module, a pool ofvirtual environment components, a scheduler and a replayer. The firstmodule can access suspicious network content. The scheduler can retrievea virtual environment component from the virtual environment pool. Thevirtual environment component can be configured to mimic a realapplication. The replayer processes the suspicious network content usingthe retrieved virtual environment component within a virtualenvironment.

BRIEF DESCRIPTION OF FIGURES

FIG. 1 is a block diagram of an exemplary malicious network contentdetection environment.

FIG. 2 is a block diagram of an exemplary virtual environment componentpool.

FIG. 3 is a block diagram of an exemplary virtual environment.

FIG. 4 is a flow chart of an exemplary method for detecting andprocessing malicious network content.

FIG. 5 is a flow chart of an exemplary method for configuring virtualenvironment components.

FIG. 6 is a flow chart of an exemplary method for replaying suspiciousnetwork content.

FIG. 7 is a flow chart of an exemplary method for detecting maliciousnetwork content.

FIG. 8 is a flow chart of an exemplary method for identifying andprocessing malicious network content.

FIG. 9 is a block diagram of an exemplary malicious network contentdetection device.

DETAILED DESCRIPTION

The present technology utilizes one or more virtual environmentcomponents to analyze network content in a virtual environment. Networkcontent can be monitored and analyzed using a set of heuristics. Theheuristics can identify suspicious network content communicated over anetwork between two or more computing devices. The suspicious networkcontent can further be analyzed in a virtual environment. The virtualenvironment may include one or more virtual environment componentsconfigured to mimic live environment components. The virtual environmentcomponents may include, for example, an application component such as abrowser application component, an operating system component, a networkcomponent or some other component. The suspicious network content isreplayed in the virtual environment using one or more of the virtualenvironment components. The virtual environment components can then beanalyzed in view of their expected behavior. Malicious network contentcan be detected based on observed component behavior that deviates froman expected behavior. The malicious network content can then beidentified and processed.

In some embodiments, a virtual environment component may be configuredas a browser application. The virtual environment browser applicationcan be configured to mimic a real browser application configured toreceive and transmit network content being monitored. For example, avirtual environment browser application can be configured with softwareplug-ins, add-ons, preferences, proxy information, and settingsassociated with a real browser application that communicates over anetwork. The behavior of the virtual environment browser application ismonitored while it is processing suspicious network content. When theactual or observed behavior of the virtual environment browserapplication differs from an expected behavior for the browserapplication, the suspicious network content processed by the virtualenvironment browser application can be designated as malicious networkcontent. For example, when suspicious network content downloaded to avirtual environment browser application initiates a request to a remoteserver without using a designated browser application proxy, the networkcontent can be designated as malicious.

In some embodiments, a virtual environment component may be configuredas an operating system of a computer. The virtual environment operatingsystem may be configured to mimic the appearance and performance of anoperating system of a computer that processes network traffic. Thevirtual environment operating system can be monitored during processingof suspicious network content to determine if settings or parameters areimproperly changed or the virtual environment operating system does notbehave as expected. If the observed behavior does not match the expectedbehavior, the network content processed by the virtual environmentoperating system is identified as malicious network content.Furthermore, if a setting, parameter, or other aspect of the virtualenvironment operating system is changed (or attempted to be changed)improperly, the current detection system may immediately generate asignature and apply the signature against future network content. Insome embodiments, a virtual environment component can include an agentthat monitors and/or observes changes to a virtual operating systemcomponent. Details of virtual environment components are discussed inmore detail below.

FIG. 1 is a block diagram of an exemplary malicious network contentdetection environment. The environment of FIG. 1 includes server 105 andclient 110 communicating over network 120. Network tap 115 is also incommunication with network 120 and may intercept communications sentover network 120, for example the communications between client 110 andserver 105. Network tap 115 can generate a copy of the interceptedcommunications and provide the copied communications to maliciousnetwork content detection system 125.

Network 120 may be implemented as the Internet or other WAN, a LAN,intranet, extranet, private network, public network, combination ofthese, or other network or networks.

Server 105 provides a network service over network 120. In someembodiments when network 120 is implemented as the Internet, server 105can provide a web service. Server 105 may include one or moreapplications 107 and operating system 109. In some embodiments,application 107 is a web application providing a web service overnetwork 120. Operating system 109 may be an operating system suitablefor use by a server, such as WINDOWS, LINUX, or NOVEL NETWARE operatingsystem.

Client 110 may execute one or more applications 112 on operating system114. In some embodiments, one or more applications on client 110 mayutilize a service provided by server 105 over network 120. In someembodiments, client 110 may utilize a web service provided over network120 by server 105. Application 112 may be any of several types ofapplications, such as a browser application, instant messagingapplication, e-mail application, an other application which cancommunicate over network 120 or is affected by network contentcommunicated to or from client 110 over network 120. Operating system114 may be any operating system suitable for a client 110, such asWINDOWS, UNIX, or other operating system.

Malicious network content detection system 125 includes heuristic module130, heuristics database 135, scheduler 140, virtual environmentcomponent pool 145 and virtual environments 150. The system 125 receivesa copy of network content from network tap 115. The network content mayinclude, for example, network data. The network content is then providedto heuristic module 130 which applies heuristics to received networkdata. Heuristics module 130 may access the heuristics from heuristicsdatabase 135. When application of the heuristics indicates that one ormore data packets of the network data have a suspicious characteristicor are otherwise suspicious, heuristic module 130 may provide thesuspicious data packets to scheduler 140. In some embodiments,suspicious data packets include data packets that might containmalicious network content. Examples of malicious network content includea worm, virus, trojan horse or other malicious code. Scheduler 140receives suspicious network content from heuristic module 130 andreplays the suspicious network content in virtual environment 150. Insome embodiments, “replay” of the suspicious network content includesprocessing the suspicious network content in a virtual environment 150that is configured to mimic the real environment in which the networkcontent was or was intended to be processed. Configuring the replay ofsuspicious network content can include retrieving one or more virtualenvironment components from virtual environment component pool 145,configuring the virtual components, providing the virtual components tovirtual environment 150, and executing playback of the suspiciousnetwork data.

Virtual environment component pool 145 contains a pool of differentcomponent types, such as applications, operating systems, and othercomponents. Virtual environment component pool 145 is discussed in moredetail below with respect to FIG. 3. Virtual environment 150 is used toreplay suspicious network content using one or more components. Virtualenvironment 150 is discussed in more detail below with respect to FIG.2. The operation of exemplary embodiments of a heuristic module,heuristics database, and scheduler are discussed in more detail in U.S.patent application Ser. No. 12/263,971, filed on Nov. 3, 2008, titled,“Systems and Methods for Detecting Malicious Network Content”, which isincorporated by reference herein in its entirety.

FIG. 2 is a block diagram of an exemplary virtual environment componentpool. In some embodiments, the virtual environment component pool ofFIG. 2 provides more detail for virtual environment component pool 145illustrated in FIG. 1. Virtual environment component pool 145 includesvirtual environment applications 205, virtual environment operatingsystems 210, virtual environment networks 215, and virtual environmentagents 220.

Each of virtual environment applications 205 may be configured to appearand perform as a real application which processes or is affected bynetwork data. Examples of virtual environment applications 205 include abrowser application, such as “Internet Explorer” by MicrosoftCorporation or “FireFox” by Mozilla, instant messaging application,client e-mail application, other applications that process datacommunicated over a network, and other applications. The virtualenvironment applications may be implemented as one or more templates ofa type of application, or a specific instance of a particularapplication. The virtual environment applications can be retrieved,configured and used within one or more virtual environments 150. Thebehavior of the virtual environment applications can be monitored andcompared to an expected behavior to determine whether or not anyvariances exist which may indicate malicious network content and/ordata.

Virtual environment operating system 210 can be implemented to appearand perform as any of several widely known operating systems forcomputers which process network data, for example WINDOWS, UNIX, orother operating systems. The virtual environment operating system may beconfigured to mimic a real operating system and monitor to detectattempted changes and actual changes to the operating system which areunexpected.

Virtual environment agent 220 can detect changes in a virtualenvironment component, such as a virtual environment application orvirtual environment operating system. In some embodiments, a virtualenvironment agent 220 may detect changes to a virtual environmentcomponent that are not made using a standard process, changes to virtualenvironment component settings that should not be changed, and otherchanges to a virtual environment component. For example, the virtualenvironment agent 200 may detect when a change is made to an operatingsystem setting using a non-standard process.

Virtual environment network 215 may be implemented to include a virtualswitch, an intranet, the Internet, or some other network. The virtualenvironment network 215 is configured with protocols that mimic the realnetwork in which the network data is communicated.

FIG. 3 is a block diagram of an exemplary virtual environment. In someembodiments, the exemplary virtual environment of FIG. 3 provides moredetail of virtual environment 150 of FIG. 1. Virtual environment 150includes replayer 305, virtual environment network 310, virtualenvironment operating system 315, virtual environment applications320-325, and virtual environment agent 330.

Replayer 305 replays network content in the virtual environment network310 by receiving and transmitting communications with virtualenvironment operating system 315 over virtual environment network 310.The communications can be processed by virtual environment operatingsystem 315 as well as by one or more virtual environment applications320-325. In some embodiments, suspicious network data is processed byoperating system 315 and virtual environment applications 320 and/or325. Virtual environment network 310 may receive suspicious network datafrom replayer 305 and provide the suspicious network data to virtualenvironment operating system 315. Virtual operating system 315 mayprocess the suspicious network content and optionally provide thesuspicious network content to a virtual environment application. In someembodiments, virtual operating system 315 is configured to mimic aserver or server applications, such as server 105, application 107 oroperating system 109. Processing suspicious network content in a virtualenvironment is discussed in more detail below with respect to the methodof FIG. 4.

Virtual environment network 310 may be retrieved from virtualenvironment component pool 145. The virtual environment network 310 maybe implemented to include a switch or a gateway, or some other softwareimplementation of a network which mimics an actual communicationsnetwork. In some embodiments, the virtual environment network 310 mayprocess and implement the transmission of data in a manner thatsimulates the processing and transmission of data by an actual network.In some embodiments, the communications processed through virtualenvironment network 310 are monitored. In some embodiments, implementinga virtual environment network 310 is optional, in which case replayer305 communicates with virtual environment operating system 315 directly.

Virtual environment operating system 315 is configured to mimic (e.g.,appear and perform in a similar manner) a real operating system, forexample an operating system 114 for client 110 that processes data overnetwork 120. In some embodiments, virtual environment operating system315 is implemented as code that emulates an operating system and caninteract with one or more virtual environment applications as an actualoperating system would. In some embodiments, the virtual environmentoperating system is implemented as an actual operating system executingwithin a virtual environment.

Virtual environment operating system 315 may communicate data betweenvirtual environment network 210 (or replayer 305) and one or morevirtual environment applications. For example, virtual environmentoperating system 315 may receive requests from a virtual environmentapplication, route the request to replayer 305, and route response data,for example suspicious network content data, from replayer 305 tovirtual environment application 220 or 225, respectively. In someembodiments, communications, settings and other parameters aspects ofthe behavior of virtual environment operating system 315 within virtualenvironment 150 are monitored. In some embodiments, virtual environmentoperating system 315 is optional.

Virtual environment applications 320 and 325 are each configured tobehave as an application that processes or is affected by networkcontent on a client computer or server. For example, a virtualenvironment application may be implemented as code that emulates a realapplication to mimic the behavior of the real application, for examplethe behavior of application 112 on client 110. In some embodiments, avirtual environment application may be implemented as a copy of theactual application which is executed within the virtual environment.

Virtual environment applications can be configured and controlled toreplicate the processing of suspicious content data. For example, whenreplaying suspicious content data, the virtual environment applicationcan be controlled to submit a request for data over a virtual network.At least a portion of the suspicious content data is transmitted to thevirtual environment application in response to the request. Replay ofsuspicious network data continues until the content data has beenreplayed in its entirety. The communications, settings and other aspectsof the behavior of virtual environment applications within virtualenvironment 150 can be monitored.

One or more virtual environment agents 330 can be configured to monitorthe behavior and/or state of one or more virtual environment components.In some embodiments, virtual environment component behavior can includerequests for data, sending or receiving data over a network, processingand/or storing data, or other operations performed the component. Insome embodiments, the virtual environment component state may include a“snapshot” of the virtual environment parameters and settings, forexample values for components settings, status of a portion componentportion (i.e., error conditions, interrupts, availability of a buffer),or values for settings or parameters for the component. For example, avirtual environment agent can monitor changes made to a virtualenvironment operating system 315. In some embodiments, if a setting ischanged to an improper value or an improper procedure is used to changea setting to the operating system, the agent can detect the codeassociated with suspicious network content which performed the change.

In addition to the network, operating system, application, and agentcomponents illustrated in virtual environment 150, other types ofvirtual environment components can be used within virtual environment150 to process suspicious network data. For example, a virtualenvironment 150 may include virtual environment hardware to mimic ahardware protocol, ports, or other behavior of an actual hardwaremachine.

The exemplary methods of FIGS. 4-8 relate to detecting and processingmalicious network content. Throughout the following discussion of FIGS.4-8, examples are occasionally discussed which relate to virtualenvironment components comprising a browser application and an operatingsystem. These exemplary references are for purposes of discussion onlyand are not intended to limit the scope of the present technology.

FIG. 4 is a flow chart of an exemplary method for detecting andprocessing malicious network content. The method of FIG. 4 begins withintercepting network content at step 405. Network tap 115 interceptsnetwork content sent over network 120 between server 105 and client 110.After intercepting network content, suspicious network content isidentified at step 410. Suspicious network content can be detected byheuristic module 130 as module 130 applies heuristics to network contentprovided by network tap 115. For example, if a heuristic applied byheuristic module 130 identifies a suspicious characteristic in thenetwork content, then the network content is considered suspicious.Exemplary methods for detecting suspicious network content usingheuristics and other methods are disclosed in U.S. patent applicationSer. No. 12/263,971, filed on Nov. 3, 2008, titled, “Systems and Methodsfor Detecting Malicious Network Content”, which is incorporated byreference herein in its entirety.

Virtual environment components and agents can be configured at step 415.Once identified, suspicious network data can be processed in a virtualenvironment by virtual environment components to determine if thesuspicious content should be identified as malicious. In someembodiments, one or more virtual environment agents may be used tomonitor the state or behavior of the virtual environment components.Scheduler 140 may configure virtual environment components by retrievingcomponents from virtual environment component pool 145 and configuringthe retrieved components to mimic real applications and other software.The agents can be configured to monitor the configured components.Configuring virtual environment components and agents is discussed inmore detail below with respect to FIG. 5.

Suspicious network content is accessed at step 420. The suspiciousnetwork content includes the content identified at step 410 and mayinclude data packets containing suspicious characteristics as well asrelated data packets. For example, suspicious network content mayinclude data packets comprising the request which resulted in a responsehaving a suspicious characteristic as well as additional data retrievedby the code containing the suspicious characteristic.

Suspicious network content is replayed using the virtual environmentcomponents at step 425. The suspicious network content is replayedwithin virtual environment 150 by replayer 305. In some embodiments,replaying virtual network content includes processing the suspiciousnetwork data by one or more virtual environment components withinvirtual environment 150. For example with respect to web page contenthaving suspicious content, replayer 305 transmits the suspicious networkcontent containing the suspicious characteristic to be processed by avirtual environment operating system and virtual environment browserapplication. The actual network content copied at step 405 is providedto the one or more of the virtual environment components illustrated inFIG. 3. More detail for replaying suspicious network content isdiscussed below with respect to the method of FIG. 6.

After replaying the suspicious network content, the virtual environmentcomponents are analyzed to detect malicious network content at step 430.In some embodiments, each virtual environment component is associatedwith an expected behavior. The expected behavior for a component iscompared to the behavior observed for the virtual environment componentas the component processed the suspicious network content. If there wasa difference between the observed behavior and the expected behavior,the suspicious network content is determined to be malicious networkcontent. More detail for detecting malicious network content byanalyzing virtual environment component behavior is discussed in moredetail below with respect to the method of FIG. 7.

After detecting malicious network content, the malicious network contentis identified and processed at step 435. In some embodiments, anidentifier is created for the malicious network content and furtherprocessing is performed to minimize damage resulting from the maliciousnetwork content. The further processing may include blocking subsequentnetwork data that resembles the identified malicious network content,removing the malicious network content from one or more clients within acomputer network, and other processing. Identifying and processingmalicious network content is discussed in more detail below with respectto FIG. 8.

FIG. 5 is a flow chart of an exemplary method for configuring virtualenvironment components. In some embodiments, the method of FIG. 5provides more detail for step 415 of the method of FIG. 4. First,components in a live environment are identified at step 505. Thecomponents may be identified on client 110, server 105, or some othermachine (real or virtual) or environment that processes or is affectedby network data communicated over network 120. The identification can beperformed by scheduler 140 based on information in network data, areporting server with information for one or more computers exposed tothe network content (e.g., computers that transmit or receive thesuspicious content), data stored locally on malicious network contentdetection system 125, or from some other source. Examples of realenvironment components include a browser application, electronicmessaging client, instant messaging client, an operating system, or someother software or hardware on a machine that accesses network content.

Each of steps 510-530 can be performed by scheduler 140 within system125. Virtual environment components are retrieved for the identifiedreal environment components at step 510. The virtual environmentcomponent can be associated with types of applications, operatingsystems, or other code that can be executed in a real environment. Thecomponents can be retrieved by scheduler 140 from virtual environmentcomponent pool 145.

The one or more virtual environment components may be configured tomimic a real environment application at step 515. Scheduler 140 canconfigure the component to mimic the appearance and behavior of the realenvironment application. The configuration can be such that anysuspicious code will not be able to detect a difference between the realcomponent and the virtual environment component application. Forexample, a virtual environment network application 320 can be configuredas Microsoft's “Internet Explorer” or Mozilla's “Firefox” browserapplication, wherein the component is configured with protocols, userpreferences, proxy addresses, encryption preferences, add-in code, andother settings that can correspond to an actual browser applicationexecuting on client 110.

In some embodiments, rather than execute code that mimics theapplication, a copy of the actual application is executed within thevirtual environment. Thus, the application is executed within a virtualoperating system, configured with settings and parameters associatedwith a real application.

Virtual environment components can be configured to mimic a realenvironment operating system at step 520. The virtual environmentoperating system may be configured to mimic an operating system used toprocess network data communicated over network 120 by server 104 orclient 110. For example, the component can be configured to mimicMicrosoft's “Windows” operating system. The configuration may includesetting a number of port addresses, settings, and other data.

Virtual environment components may then be configured to mimic the realenvironment network at step 525. Configuring a virtual environmentcomponent network may involve setting up protocols, and other featuresto mimic network 120. In some embodiments, the network may be configuredas a virtual switch, relay station, or some other network system forrelaying content data. The method of FIG. 5 then ends.

Virtual environment agents are retrieved and configured at step 530. Avirtual environment agent can be implemented as code which monitorscomponent behavior and settings in a virtual environment. The virtualenvironment agents may detect behaviors and changed settings as theyoccur and may detect whether the behaviors or setting changes areexpected or unexpected. If unexpected, the suspicious network contentwhich implemented or caused the change is identified as malicious.Identifying malicious code is discussed in more detail below.

In some embodiments, a virtual machine hardware component may beconfigured as well. In this case, the virtual machine hardware may beconfigured to mimic real hardware ports, settings, and other aspects ofthe actual hardware used to implement an operating system andapplication components.

FIG. 6 is a flow chart of an exemplary method for replaying suspiciousnetwork content. In some embodiments, the method of FIG. 6 provides moredetail for step 425 of the method of FIG. 4. The discussion of themethod of FIG. 6 will refer to an example regarding replaying networkcontent using a browser application.

An initial request is replayed from a virtual environment application toa virtual environment operating system at step 605. In some embodiments,the initial request is configured based on network content (for example,consisting of network data packets) copied by network tap 115. Forexample, network content may be stored for period of time. When one ormore network content data packets are determined to be suspicious, allnetwork content associated with the suspicious data packets areretrieved and replayed. For example, network content provided to anetwork browser application in response to a request may containsuspicious data packets. Once data packets in the response aredetermined to be suspicious, the request which generated the response aswell as other communications occurring after the response was receivedall retrieved in their entirety.

In some embodiments, the initial request is configured by replayer 305or scheduler 140 and sent from the virtual environment application 320to the replayer 305. Transmission of the initial request can result invirtual environment application behavior corresponding to the request.For example, for a network browser application, the request may initiatecreating of a cookie associated with the request. The cookie can includea timestamp for and an identifier associated with the request, as wellas creation of other data.

Suspicious network content is provided to a requesting virtualenvironment application at step 610. In response to the initial requestin step 605, the network content is transmitted to the virtualenvironment application to replicate transmission of the network contentto the requesting client in a real computing environment. For example,in reply to an HTTP request, the response may include HTTP packets,image data packets, and other content comprising a response to therequest. The data packets comprising the response are transmitted tovirtual operating system 315 by replayer 305 over virtual environmentnetwork 310. Virtual operating system 315 receives the content data,optionally processes the data, determines which virtual environmentapplication that will receive the data, and “transmits” the content datato the virtual environment application. For a virtual network browserapplication, the content data is transmitted to the browser applicationto be loaded as a web page or other content.

In some embodiments, the network content is not provided to a virtualenvironment operating system, but rather directly to the virtualenvironment application.

The suspicious network content is then processed by the virtualenvironment application at step 615. For example, a virtual environmentbrowser application may load web page data and image data, execute ascript, or provide flash video as included in the response data packets.

When the received network content contains code that is malicious(although it may not yet be identified as malicious before it isexecuted), the content is processed by the virtual environmentapplication just as it would be when the network content and maliciouscode would be executed by a real application. For example, maliciouscontent may consist of code consisting of an executable. When executedby the virtual environment browser application, the executable code mayattempt to transmit a message to a server, retrieve data within thelocal environment, change a setting in the virtual environment browserapplication, or perform some other operation.

While processing the suspicious network content, the virtual environmentapplication, operating system, network and other virtual environmentcomponents are monitored by one or more virtual environment agents 330at step 620. As suspicious network data is “replayed” by processing thenetwork data by the virtual environment components, the behavior of eachcomponent can be detected, logged, stored, reported and/or otherwisemonitored by an agent. One agent may monitor a single component ormultiple components.

For example, a virtual environment agent may detect behavior in avirtual environment browser application. When the virtual environmentbrowser receives and processes suspicious content data, the browserapplication may execute executable code within the data. The executablecode may attempt to transmit a message over the virtual network (i.e.,to replayer 305) improperly. For example, the executable may attempt tosend a message directly to a server instead of using a proxy addressspecified by the virtual environment browser application. A virtualenvironment agent monitoring the browser application may detect allrequests sent by the virtual browser application, and thereby detect theimproper request which did not go to the proxy address.

A virtual environment agent may also detect changes to an operatingsystem which are improper. For example, when executed by a virtualenvironment application, an executable or other code in received networkcontent may change or attempt to change an operating system setting,value, or otherwise change the virtual environment operating system. Thevirtual environment agent may detect the change or attempted change byintercepting or monitoring all changes to the virtual environmentoperating system. As another example, the operating system may receivedata to be stored. The data may comprise an executable, which mayattempt to access information, control an application, or perform someother function. When data received by the operating system for storageis an executable or other executable code, the execution of the data ismonitored by the agent to determine the effects of the data execution.

When monitoring data, a virtual environment agent may record informationregarding the effects and identification of the suspicious network datawhen the data is being processed in the virtual environment. Forexample, the virtual environment agent may identify application andoperating system settings and values affected by the suspicious networkcontent, values before and after they are affected during processing ofthe suspicious network content, changes to processes such as anoperating system “start-up” process, and other changes. The virtualenvironment agent may also identify a request made by the suspiciousnetwork content, including requests to transmit data over a network,requests for local data access, and other requests. This and other datamay be stored and/or reported by the virtual environment agent for laterprocessing.

FIG. 7 is a flow chart of an exemplary method for detecting maliciousnetwork content. In some embodiments, the method of FIG. 7 provides moredetail for step 430 of the method of FIG. 4 and is performed byscheduler 140. First, expected behavior for a virtual environmentcomponent such as an application, operating system and/or network isaccessed at step 705. The expected behavior data can be determined fromstored behavior patterns associated with each component. The behaviorpatterns may be accessed locally or remotely by scheduler 140. Forexample, a stored behavior pattern for a virtual environment networkbrowser can indicate that all requests to transmit over a network shouldbe directed towards a proxy address specified by the virtual environmentnetwork browser. A stored behavior pattern for an operating system canindicate parameter values that should not be changed as well as codethat should be invoked when attempting to change a particular parameter.

The actual behavior pattern of the virtual environment application oroperating system is then compared with the expected behavior pattern forthe application or operating system at step 710. The actual behavior maybe retrieved from data stored by one or more virtual environment agents330. For example, the expected behavior for transmitting a request by avirtual environment network browser can include sending a contentrequest to a proxy address set within the network browser settings. Theactual behavior may include a content request initiated by executablecode in the suspicious network content that attempts to transmit anetwork request directly.

If a difference is detected between the actual behavior and expectedbehavior at step 715, the suspicious network content is identified andprocessed as malicious network content at step 720. Identifying andprocessing malicious network content is discussed in more detail belowwith respect to FIG. 8. After identifying and processing the maliciousnetwork content, the method of FIG. 7 continues to step 725. In someembodiments, the suspicious network data is flagged to be identified andprocessed later and the operation of the method of FIG. 7 continues tostep 725.

If no difference is detected between the actual behavior and expectedbehavior at step 715, the actual behavior for a virtual environmentoperating system is compared to the expected behavior for the virtualenvironment operating system at step 725. For example, the expectedbehavior may involve a particular process changing an operating systemparameter value, when the actual behavior may attempt to change theoperating system parameter value without using the particular process.The actual behavior may involve an attempt to change the settings bycode executed by an application. If any difference is detected betweenthe actual behavior and the expected behavior for the virtualenvironment operating system, the suspicious network data associatedwith the actual behavior is identified and processed as maliciousnetwork content at step 735 and the method of FIG. 7 continues to step740. If no difference is detected, the method of FIG. 7 continues tostep 740.

The actual behavior is compared with expected behavior for a virtualenvironment network at step 740. If any difference is detected betweenthe actual behavior and the expected behavior, the network dataassociated with the behavior is identified and processed as maliciousnetwork content and the process of FIG. 7 then ends. If no difference isdetected, the suspicious network data is not identified as maliciousnetwork content.

In some embodiments, scheduler 140 can detect malicious content from thebehavior of a virtual environment application, virtual environmentoperating system, or virtual environment network “on the fly” orinstantly during replay of the suspicious content in the virtualenvironment rather than waiting until suspicious content replay has beencompleted. As suspicious content is replayed, scheduler 140 may compareeach incremental behavior of a virtual environment application,operating system, or network to the corresponding next expectedincremental behavior. If the next actual incremental behavior does notmatch the next expected incremental behavior, the suspicious contentresponsible for the actual behavior is immediately identified asmalicious network content and the malicious network content isprocessed. By comparing the expected behavior and actual behavior duringreplay rather than after replay has completed, malicious network contentcan be identified during the replay of the suspicious content (i.e., “onthe fly”) and subsequent occurrences of the malicious network contentcan be detected more quickly.

FIG. 8 is a flow chart of an exemplary method for identifying andprocessing malicious network content. In some embodiments, the method ofFIG. 8 provides more detail for step 435 of the method of FIG. 4. First,an identifier is created for malicious network content at step 805. Theidentifier may be generated at least in part based on information withinthe malicious network data.

Network content data associated with malicious network content is thencollected at step 810. The collected network content data associatedwith the malicious network content may include the data packets thatinclude the identified malicious network content, code retrieved by themalicious network content, source information that provided themalicious network content, and other data.

After collecting network content data, a heuristic is generated toidentify the subsequent malicious network content associated with themalicious content data at step 815. The heuristic is generated such thatit may identify network data copied and provided by network tap 115. Insome embodiments, the heuristic is a signature of the network contentdata. In some embodiments, the signature can include or be derived fromdata packets comprising the malicious network data, an identification ofthe application that processed the malicious data, a byte sequence ofthe malicious data, and other data that is capable of identifying themalicious network data within a stream of network data received over anetwork.

The generated heuristic is then provided to heuristic module 130 withinsystem 125 at step 820. Once provided to heuristic module 130, theheuristic module 130 may apply the heuristic to network data retrievedby network tap 115 and provided to malicious network content detectionsystem 125.

In some embodiments, a signature may be generated immediately upondetecting the malicious network content, such that the signature can beapplied to subsequent network content with minimal delay. Generating andapplying the signature immediately against subsequent network contentenables the present system to provide real-time detection and protectionagainst malicious network content. For example, if a virtual environmentagent 330 detects that network content improperly changes a virtualenvironment operating system setting, the agent, scheduler, or heuristicmodule (or a combination of these) may generate a signature for thecorresponding network content. The heuristic module may then apply thesignature to subsequent network traffic copied by network tap 115. Ifany network content in subsequent network traffic matches the signature,the subsequent network traffic can be blocked or otherwise containedwithout affecting client 110.

In addition to providing heuristics against subsequent or futuremalicious network content, measures may be taken to remove the maliciousnetwork content from computing systems which have already been infectedby the content. Script code is created for disinfecting live environmentcomponents at step 825. The script code is generated for the purpose ofrestoring a real environment component from damage caused by themalicious network content. The created script code is then distributedand executed among computers suspected of receiving the maliciousnetwork content at step 830.

Identifying and processing malicious network content is furtherdiscussed in U.S. patent application Ser. No. 12/263,971, filed on Nov.3, 2008, entitled, “Systems and Methods for Detecting Malicious NetworkContent”, which is incorporated by reference herein in its entirety.

FIG. 9 is a block diagram of an exemplary malicious network contentdetection device. In some embodiments, the method of FIG. 9 providesmore detail for system 125 in FIG. 1. The malicious network contentdetection system comprises at least one or more processors 905, memorysystem 910, and storage system 915, each of which can be coupled to adata bus 920. In some embodiments, data bus 920 may be implemented asone or more data buses. The malicious network content detection systemmay also comprise a communication network interface 925, an input/output(I/O) interface 930, and a display interface 935. The communicationnetwork interface 925 may couple with the network 120 via acommunication medium 940. In some embodiments, the malicious networkcontent detection system may couple to a network tap, such as thenetwork tap 115, which in turn couples with the communication network120. The bus 920 provides communications between the communicationsnetwork interface 925, the processor 905, the memory system 910, thestorage system 915, the I/O interface 930, and the display interface935.

The communications network interface 925 may communicate with otherdigital devices (not shown) via the communications medium 540. Theprocessor 905 executes instructions which may be stored on a processorreadable storage medium. The memory system 910 may store datapermanently or temporarily. Some examples of the memory system 910include RAM and ROM. The storage system 915 also permanently ortemporarily stores data. Some examples of the storage system 915 arehard disks and disk drives. The I/O interface 930 may include any devicethat can receive input and provide output to a user. The I/O interface930 may include, but is not limited to, a keyboard, a mouse, a touchscreen, a keypad, a biosensor, a compact disc (CD) drive, a digitalversatile disc (DVD) drive, optical disk drive, or a floppy disk drive.The display interface 935 may include an interface configured to supporta display, monitor, or screen. In some embodiments, the maliciousnetwork content detection system comprises a graphical user interface tobe displayed to a user over a monitor in order to allow the user tocontrol the malicious network content detection system.

The foregoing detailed description of the technology herein has beenpresented for purposes of illustration and description. It is notintended to be exhaustive or to limit the technology to the precise formdisclosed. Many modifications and variations are possible in light ofthe above teaching. The described embodiments were chosen in order tobest explain the principles of the technology and its practicalapplication to thereby enable others skilled in the art to best utilizethe technology in various embodiments and with various modifications asare suited to the particular use contemplated. It is intended that thescope of the technology be defined by the claims appended hereto.

What is claimed is:
 1. A computer implemented method for detectingmalicious network content by a network content processing system,comprising: receiving network content detected to be suspicious;identifying a real application that is affected by the suspiciousnetwork content; providing a virtual environment component that isassociated with the identified real application and selected from avirtual environment component pool to a virtual environment; configuringthe virtual environment component within a virtual environment to mimicthe identified real application to process the suspicious networkcontent within the network content processing system, the virtualenvironment being one of a plurality of concurrently existing virtualenvironments within the network content processing system, each virtualenvironment of the concurrently existing virtual environments includinga respective virtual environment operating system to process respectivesuspicious network content to detect whether the respective suspiciousnetwork content contains malicious network content; processing thesuspicious network content using the virtual environment componentwithin the virtual environment, the virtual environment componentoperating as a browser application which provides the suspicious networkcontent for rendering as at least part of a content page; andidentifying the suspicious network content as malicious network contentbased on a behavior of the virtual environment component.
 2. Thecomputer implemented method of claim 1, wherein the suspicious networkcontent includes one or more data packets associated with a suspiciouscharacteristic.
 3. The computer implemented method of claim 2, whereinthe one or more data packets comprise a copy of an original group of oneor more data packets configured to be processed at least in part by areal application executing within a real environment.
 4. The computerimplemented method of claim 1, wherein the network content is a copy ofnetwork content.
 5. The computer implemented method of claim 1, whereinthe virtual environment component comprises the virtual environmentoperating system.
 6. The computer implemented method of claim 5, furthercomprising monitoring changes to the virtual environment operatingsystem by an agent, the suspicious network content identified asmalicious network content based on detected improper changes to thevirtual environment operating system.
 7. The computer implemented methodof claim 1, wherein processing the suspicious network content includesdetermining an observed behavior of the virtual environment componentdiffers from an expected behavior of the virtual environment component.8. The computer implemented method of claim 7, wherein the observedbehavior includes one or more actions performed by executable codecontained within the suspicious network content.
 9. The computerimplemented method of claim 1, further comprising: generating asignature to identify subsequent network content that matches themalicious network content; and applying the signature to subsequentlyreceived network content.
 10. The computer implemented method of claim1, wherein the virtual environment component pool is located within thenetwork content processing system.
 11. The computer implemented methodof claim 1 wherein the virtual environment component pool comprises atleast one of i), ii) and iii) below: i) each of the virtual environmentoperating system instances; ii) a plurality of virtual environmentnetwork instances; iii) a plurality of virtual environment agents eachconfigurable to monitor behavior of a respective one or more virtualenvironment components within the virtual environment including thevirtual environment component processing the suspicious network content.12. The computer implemented method of claim 1 wherein the virtualenvironment component is provided with a scheduler coupled to thevirtual environment component pool.
 13. The computer implemented methodof claim 12 further comprising: identifying the virtual environmentcomponent for providing to the virtual environment based on informationobtained from one or more of a group of sources including information innetwork content, information from a reporting server on one or morecomputers exposed to the network content, and information stored withinthe network content processing system.
 14. The computer implementedmethod of claim 1 wherein the virtual environment component poolcomprises a plurality of virtual environment agents each configurable tomonitor state of a respective one or more virtual environment componentswithin the virtual environment.
 15. The computer implemented method ofclaim 1 wherein the virtual environment operating system is implementedas code that emulates an operating system.
 16. A computer implementedmethod for processing network content by a network content processingsystem, comprising: receiving suspicious network content from a networkinterface, the suspicious network content associated with the networkcontent communicated over a network; identifying a real application thatis affected by the suspicious network content; providing a virtualenvironment component that is associated with the identified realapplication and selected from a virtual environment component pool to avirtual environment, the virtual environment component including avirtual environment operating system for the virtual environment;configuring an agent to monitor processing of the suspicious networkcontent within the virtual environment and monitor changes to thevirtual environment operating system; configuring the virtualenvironment component to mimic the real application to process thesuspicious network content within the virtual environment, the virtualenvironment being one of a plurality of concurrently existing virtualenvironments, each virtual environment of the concurrently existingvirtual environments to operate on respective suspicious network contentfrom the network interface, each concurrently existing virtualenvironment including a respective virtual environment operating systemto process respective suspicious network content to detect whether therespective suspicious network content contains malicious networkcontent; detecting at least one anomaly associated with the virtualenvironment component using the agent, the at least one anomalyincluding improper changes to the virtual environment operating systemof the virtual environment that identifies that the suspicious networkcontent contains malicious network content; and generating a signaturefrom the suspicious network content to apply to subsequent networkcontent.
 17. The computer implemented method of claim 16, wherein theagent is further configured to monitor changes to the virtualenvironment operating system of the virtual environment.
 18. Thecomputer implemented method of claim 16, wherein the agent is furtherconfigured to initiate generation of the signature based on detectingthe at least one anomaly.
 19. The computer implemented method of claim16, wherein the agent is further configured to monitor behavior of avirtual environment application within the virtual environment.
 20. Thecomputer implemented method of claim 19, wherein the virtual environmentapplication is configured to mimic a browser application.
 21. Thecomputer implemented method of claim 19, wherein the virtual environmentapplication is configured with a proxy address, wherein the agent isfurther configured to detect whether code within the suspicious networkcontent and executed by the virtual environment application attempts totransmit data over a network without the proxy address.
 22. The computerimplemented method of claim 16, wherein the virtual environmentcomponent pool is located within the network content processing system.23. The computer implemented method of claim 16 wherein the virtualenvironment component pool comprises at least one of i), ii) and iii)below: i) each of the virtual environment operating system instances;ii) a plurality of virtual environment network instances; iii) aplurality of virtual environment agents each configurable to monitorbehavior of a respective one or more virtual environment componentswithin the virtual environment including the virtual environmentcomponent during processing of the suspicious network content.
 24. Thecomputer implemented method of claim 16 wherein the virtual environmentcomponent is provided with a scheduler coupled to the virtualenvironment component pool.
 25. The computer implemented method of claim24 further comprising: identifying the virtual environment component forproviding to the virtual environment based on information obtained fromone or more of a group of sources including information in networkcontent, information from a reporting server on one or more computersexposed to the network content, and information stored within thenetwork content processing system.
 26. The computer implemented methodof claim 16 wherein the virtual environment operating system isimplemented as code that emulates an operating system.
 27. The computerimplemented method of claim 16 wherein the virtual environment componentpool comprises a plurality of virtual environment agents eachconfigurable to monitor state of a respective one or more virtualenvironment components within the virtual environment.
 28. A system fordetecting malicious network content, comprising: a network interface; afirst module executable by a processor that accesses suspicious networkcontent; a scheduler that identifies a real application that is affectedby the suspicious network content, provides a virtual environmentcomponent that is associated with the real application and selected froma virtual environment component pool, configures the virtual environmentcomponent to mimic the real application and operate as a browserapplication which provides the suspicious network content for renderingas at least part of a content page, the virtual environment componentpart of a virtual environment, the virtual environment being one of aplurality of concurrently existing virtual environments, each virtualenvironment of the concurrently existing virtual environments includinga respective virtual environment operating system and to processrespective suspicious network content received from the networkinterface to process respective suspicious network content to detectwhether the respective suspicious network content contains maliciousnetwork content; and a replayer that operates in combination with thevirtual environment operating system of the virtual environment toprocess the suspicious network content.
 29. The system of claim 28,further comprising an agent configured to detect changes to the virtualenvironment component within the virtual environment.
 30. The system ofclaim 29, wherein the agent detects changes to the virtual environmentoperating system.
 31. The system of claim 29, wherein the agent isconfigured to detect unexpected changes by a process to the virtualenvironment component.
 32. The system of claim 29, wherein the agent isconfigured to detect unexpected changes to settings of the virtualenvironment component.
 33. The system of claim 29, wherein the agent isconfigured to detect unexpected changes by monitoring behavior of thevirtual environment component including one or more of requests fordata, sending or receiving data over a network, processing and/orstoring data.
 34. The system of claim 29, wherein the agent isconfigured to monitor state of the virtual environment component, thestate includes a snapshot of values representing settings and parametersof the virtual environment.
 35. The system of claim 34, wherein thevalues represent state and parameters including one or more of errorconditions, interrupts, and availability of a buffer.
 36. The system ofclaim 29, wherein the agent resides in the virtual environment.
 37. Thesystem of claim 29, wherein the agent is further configured to detect,log, store, and report behavior of the virtual environment component.38. The system of claim 29, wherein the agent is configured to detectbehavior in the browser application being the virtual environmentcomponent.
 39. The system of claim 29, wherein, the virtual environmentcomponent operating as the browser application is configured to receiveand process suspicious content data, and execute any executable codewithin the data.
 40. The system of claim 39, wherein the executable codeattempts to transmit a message over a virtual network, including arequest to a server.
 41. The system of claim 28, wherein the schedulerretrieves the virtual environment component operating as the browserapplication.
 42. The system of claim 28, wherein the scheduler enablesthe virtual-environment operating system.
 43. The system of claim 28,further comprising heuristics logic that generates a signature based onthe suspicious network content and applies the signature to subsequentnetwork content.
 44. The system of claim 28, wherein the virtualenvironment component pool is located within the system.
 45. The systemof claim 28, wherein the virtual environment operating system isimplemented as code that emulates an operating system.
 46. The system ofclaim 28, wherein the agent is configured to monitor changes made to thevirtual environment operating system, including one or more of a settingchanged to an improper value or an improper procedure used to change asetting to the virtual environment operating system, and to detect codeassociated with suspicious network content that performed the change.47. The system of claim 28, wherein the virtual environment isconfigured to include virtual hardware to mimic one or more of ahardware protocol, ports, and other behavior of real hardware.
 48. Thesystem of claim 28, wherein the replayer replays network content in avirtual environment network by receiving and transmitting communicationswith the virtual environment operating system of the virtual environmentover the virtual environment network.
 49. The system of claim 28,wherein the virtual environment is configured to process and implementtransmission of the suspicious network content in a manner thatsimulates the processing and transmission of data by a real network. 50.A non-transitory computer readable storage medium having stored thereoninstructions executable by a processor for performing a method fordetecting malicious network content, the method comprising: receivingsuspicious network content from a network interface; identifying a realapplication that is affected by the suspicious network content;providing a virtual environment component that is associated with thereal application and selected from a virtual environment component poolto a virtual environment, the virtual environment component operating asa browser application which provides the suspicious network content forrendering as at least part of a content page; configuring the virtualenvironment component within the virtual environment to mimic a realapplication to process the suspicious network content within the networkcontent processing system, the virtual environment being one of aplurality of concurrently existing virtual environments, each virtualenvironment of the concurrently existing virtual environments includinga respective virtual environment operating system and beingcommunicatively coupled to the network interface to process respectivesuspicious content received from the network interface to processrespective suspicious network content to detect whether the respectivesuspicious network content contains malicious network content;processing the suspicious network content by the virtual environmentcomponent within a virtual environment; and identifying the suspiciousnetwork content as malicious network content based on a behavior for thevirtual environment component.
 51. The non-transitory computer readablestorage medium of claim 50, wherein the suspicious network contentincludes one or more data packets associated with a suspiciouscharacteristic.
 52. The non-transitory computer readable storage mediumof claim 50, wherein the method further comprises an agent that monitorschanges to the virtual-environment operating system, the suspiciousnetwork content identified as malicious network content based ondetected improper changes to the virtual environment operating system.53. The non-transitory computer readable storage medium of claim 50,wherein processing the suspicious network content includes determiningthat an observed behavior of the virtual environment component differsfrom an expected behavior of the virtual environment component.
 54. Thenon-transitory computer readable storage medium of claim 50, wherein themethod further comprises: generating a signature to identify subsequentnetwork content that matches the suspicious network content; andapplying the signature to subsequently received network content.
 55. Thenon-transitory computer readable storage medium of claim 50, wherein thevirtual environment operating system is implemented as code thatemulates an operating system.
 56. A computer implemented method forprocessing network content by a network content processing system,comprising: receiving suspicious network content from a networkinterface, the suspicious network content associated with the networkcontent communicated over a network; identifying a real application thatis affected by the suspicious network content; providing a virtualenvironment component that is associated with the identified realapplication and selected from a virtual environment component pool to avirtual environment, the virtual environment component operating as abrowser application that renders the suspicious network content as atleast part of a content page; configuring an agent to monitor processingof the suspicious network content within the virtual environment;configuring the virtual environment component to mimic the realapplication to process the suspicious network content within the virtualenvironment, the virtual environment being one of a plurality ofconcurrently existing virtual environments, each virtual environment ofthe concurrently existing virtual environments to operate on respectivesuspicious network content from the network interface, each concurrentlyexisting virtual environment including a respective virtual environmentoperating system to process respective suspicious network content todetect whether the respective suspicious network content containsmalicious network content; detecting at least one anomaly associatedwith the virtual environment component using the agent; and generating asignature from the suspicious network content to apply to subsequentnetwork content.
 57. The computer implemented method of claim 56,wherein the virtual environment operating system is implemented as codethat emulates an operating system.
 58. A system for detecting maliciousnetwork content, comprising: a network interface; a processor; and amemory coupled to the processor, the memory comprises software that,when executed by the processor, performs operations including:identifying a real application that is affected by suspicious networkcontent received from the network interface, the suspicious networkcontent communicated over a network; providing a virtual environmentcomponent that is associated with the identified real application andselected from a virtual environment component pool to a virtualenvironment, the virtual environment component being a virtualenvironment operating system of the virtual environment; configuring anagent to monitor processing of the suspicious network content within thevirtual environment and monitor changes to the virtual environmentoperating system; configuring the virtual environment component to mimicthe real application to process the suspicious network content withinthe virtual environment, the virtual environment being one of aplurality of concurrently existing virtual environments, each virtualenvironment associated with a respective virtual environment operatingsystem to process suspicious network content to detect whether thesuspicious network content contains malicious network content; detectingat least one anomaly associated with the virtual environment componentusing the agent, the at least one anomaly including improper changes tothe virtual environment operating system of the virtual environment thatidentifies that the suspicious network content contains maliciousnetwork content; and generating a signature from the suspicious networkcontent to apply to subsequent network content.
 59. The system of claim58, further comprising an agent stored within the memory, the agentbeing configured to detect unexpected changes to settings of the virtualenvironment component.
 60. The system of claim 58, wherein the agent isfurther configured to initiate generation of the signature based ondetecting the at least one anomaly.
 61. The system of claim 58, whereinthe agent is further configured to monitor behavior of a virtualenvironment application within the virtual environment.
 62. The systemof claim 61, wherein the agent is configured to detect unexpectedchanges in the monitored behavior of the virtual environment componentincluding one or more of requests for data, sending or receiving dataover a network, processing and/or storing data.
 63. The system of claim58, wherein the agent is configured to monitor state of the virtualenvironment component, the state includes a snapshot of valuesrepresenting settings and parameters of the virtual environment.
 64. Thesystem of claim 63, wherein the values represent state and parametersincluding one or more of error conditions, interrupts, and availabilityof a buffer.
 65. The system of claim 58, wherein the agent resides inthe virtual environment.
 66. The system of claim 58, wherein the virtualenvironment is configured to include virtual hardware to mimic one ormore of a hardware protocol, ports, and other behavior of real hardware.67. The system of claim 58, wherein the virtual environment applicationis configured to mimic a browser application.
 68. The system claim 58,wherein the virtual environment operating system is implemented as codethat emulates an operating system.
 69. The system of claim 58, whereinthe agent is further configured to detect, log, store, and reportbehavior of the virtual environment component.